Dan Lorenc

@lorenc_dan

Followers: 11K
Following: 39K
Media: 1K
Statuses: 13K

OSS Supply Chain Security. Founder/CEO/Primary Ariba Admin at https://t.co/sGmuUU9JbG Sigstore: https://t.co/dWKlyYu6kv

The Arena
Joined May 2014
@lorenc_dan
Dan Lorenc
2 years
48
14
273
@lorenc_dan
Dan Lorenc
2 days
Some actual facts here.
@argvee
Heather Adkins - Ꜻ - Spes consilium non est
3 days
We’re excited to see the security and OSS communities engage on vulnerability disclosure in light of new AI technologies that we believe will enable both defenders and attackers alike. Existing and emerging norms around disclosure are important debates, and we’ve noted the
0
0
3
@brittanibilse
Brittani Bilse
18 hours
Hey folks, big news on rural health: CMS just announced all 50 states applied for the $50 billion Rural Health Transformation Program to revamp care in underserved areas! It's a game-changer for access, workforce, and tech in rural spots. Let's check them out so far:
2
1
8
@lorenc_dan
Dan Lorenc
2 days
Tragedy of the commons is the dumbest, laziest, worst possible analogy for open source sustainability. Stop using this. Please. Everyone.
@lemire
Daniel Lemire
3 days
Recently, there was a clash between the popular @FFmpeg project, a low-level multimedia library found everywhere… and Google. A Google AI agent found a bug in FFmpeg. FFmpeg is a far-ranging library, supporting niche multimedia files, often through reverse-engineering. It is
2
0
13
@lorenc_dan
Dan Lorenc
2 days
Please. Everyone. Stop using tragedy of the commons to describe open source. Just think about it first for like thirty seconds. It's the worst, wrongest, laziest analogy possible. I get it. But it's wrong.
@NinjaParanoid
Chetan Nayak (Brute Ratel C4 Author)
2 days
This. Perfectly explained. Reporting issues in an open source project, without providing fixes, and then scaring to disclose the issue if not fixed within a small timeline is a d**k move. You cannot ask anything, if you are not paying for it.
0
0
4
@lorenc_dan
Dan Lorenc
3 days
Fun fact: at one point Google had an entire team building a new sandboxing technology just so they could run ffmpeg safely. Later it ended up being used in App Engine and other environments.
13
23
542
@MightyNetworks
Mighty Networks
4 days
Now available by popular demand.
9
7
31
@dinodaizovi
Dino A. Dai Zovi
3 days
It looks like there is a $15k bounty out for an accepted PR that fixes the vulnerability identified by Big Sleep in @FFmpeg: https://t.co/C3v0sikr26 I certainly didn't remember that this program existed, would be a different vibe to mention it in the bug report sent to project
@lorenc_dan
Dan Lorenc
4 days
Google literally runs a program to pay people to fix bugs in critical OSS projects. Ffmpeg is explicitly in scope. Anyone can just send a fix and fill out a form and get paid. https://t.co/OWV8g0fmjC This is all so dumb.
4
15
118
@lorenc_dan
Dan Lorenc
4 days
Google literally runs a program to pay people to fix bugs in critical OSS projects. Ffmpeg is explicitly in scope. Anyone can just send a fix and fill out a form and get paid. https://t.co/OWV8g0fmjC This is all so dumb.
18
56
1K
@DeterminateSys
Determinate Systems
1 month
Determinate is Nix without the drama. Want to be the first to hear about the work we are doing to make Nix more simple, confident, and secure? Sign up for our once-a-month newsletter using the link in thread, new issue coming soon! 🔗🧵👇
6
13
81
@lorenc_dan
Dan Lorenc
1 month
The year is 2037. Nix still hasn't decided on a path for flakes. @DeterminateSys just released Determinate Nix 23.0.
3
6
29
@AiexaAlgo
AD Val
2 days
2
2
36
@Checkmarx
Checkmarx
1 month
Joining the discussion are industry leaders @lorenc_dan, Founder and CEO of @chainguard_dev, Caroline Wong, Director of Cybersecurity at @Teradata, @DinisCruz, Founder and CEO of The Cyber Boardroom, @AviHein, our Senior Product Marketing Manager, and @ek121268, our VP of
1
2
8
@charliermarsh
Charlie Marsh
3 months
Today, we're announcing our first hosted infrastructure product: pyx, a Python-native package registry. We think of pyx as an optimized backend for uv: it’s a package registry, but it also solves problems that go beyond the scope of a traditional "package registry".
80
291
3K
@chainguard_dev
Chainguard ⛓️
3 months
We’re excited to announce the launch of the Chainguard Partner Program – a global channel initiative designed to help partners deliver trusted open source software to their customers. 🤝 When we empower the right partners, we scale trust. 💜 https://t.co/8o1OwWK72P
0
2
9
@JeffreySchwartz
JeffreySchwartz
3 months
Chainguard is among the fastest-growing cybersecurity unicorns. Co-founder @lorenc_dan and new CISO Quincy Castro share their ambitious roadmap to expand @chainguard_dev's secure-by-default libraries to include Python, Java and a new Linux distro.
darkreading.com
Chainguard provides DevSecOps teams with a library of "secure-by-default" container images so that they don't have to worry about software supply chain vulnerabilities. The startup is expanding its...
0
2
9
@antitree
Mark Manning
3 months
Chainguard let me sneak in a blog post about SLSA and secure build. There's a bunch of really smart people at this company doing cool and hard shit so here's some of it. https://t.co/EIuVyEEbZu
chainguard.dev
Chainguard goes through all the necessary steps to make things SLSA 3 compliant. Get the details on how we do it.
0
1
5
@lorenc_dan
Dan Lorenc
4 months
Theory: you need to have good vibes to be able to vibe code well.
0
1
9
@nikosvg
nikosv
4 months
Azul And ChainGuard Team Up: "Azul has clearly seen that potential by basing its JDK build on Chainguard's hardened images". On IProgrammer ▶️ https://t.co/j53vEtk0jj @AzulSystems @chainguard_dev @lorenc_dan #java #azul #jdk #openjdk #chainguard
0
1
4
@adrianmouat
Adrian Mouat
4 months
Chainguard now has Helm Charts for some common image bundles -- see how you can use them in this video! https://t.co/88ZvnfICfC
0
1
4
@lorenc_dan
Dan Lorenc
4 months
Claude Code might be the best piece of software ever written.
5
2
24
@orcasec
Orca Security
5 months
🤝 Excited to announce our partnership and integration with @chainguard_dev. It brings visibility of Chainguard's zero-CVE distroless images into Orca's platform. ✅ Clear security intelligence for teams ✅ Faster shipping for developers 🚀 See how: https://t.co/rLSeyk0wUn
1
3
11